Page Comparison

Excerpt

hidden	true

Caveats

Supported Platforms

Due to the complex nature of this configuration, Atlassian is only able to provide support if your configuration satisfies these additional conditions:

Confluence must be installed as a stand-alone Tomcat application server.
The only supported operating systems for this configuration are Windows Server 2003, Windows Server 2008 and Windows Server 2012.
The server must be a member of the same Active Directory domain that contains the user records that will be authenticated.
Confluence must be configured to use LDAP integration to Active Directory for user management.

Additional Dependencies

Using this configuration adds a number of additional dependencies to Confluence, which you should review.

Custom Seraph Authenticator

This configuration requires the use of a specialized Seraph authenticator for Confluence. Install and configure this component on the server that host Confluence. If you are already using a different custom Seraph authenticator, you may not be able to use this configuration. In this situation, you must either choose a different configuration for the SharePoint Connector or consider developing a new custom Seraph authenticator that aggregates the functionality of both.

Note

title	No support for custom authenticators

Please note that we are unable to provide support for any custom authenticators not written or explicitly supported by Atlassian.

Custom ISAPI Filter

This configuration requires the use of a custom ISAPI filter for IIS that can communicate using AJP. Install and configure this component on the server that has IIS installed. Atlassian will only support the use of the open source Tomcat Connector provided by the Apache Tomcat project.

Note

title	Limited support for third-party software

Please note that Atlassian is unable to provide in-depth support for problems encountered with the Tomcat Connector, as this software is written and maintained by the Apache Software Foundation. Atlassian will assist with ensuring the correct configuration values are applied and capturing diagnostic information, but any issues encountered with the Tomcat Connector must be raised through the appropriate channels with the Apache Tomcat project or with another organization that provides commercial support for Tomcat.

Anonymous Access Disabled

Due to limitations with the custom Seraph authenticator that Confluence requires for this configuration, it is not possible to set up anonymous access for Confluence when using this configuration.

Atlassian is currently reviewing the suitability of using the third-party NTLM Authenticator for Confluence instead.

Known issues

These are some reported problems with this configuration:

The user is not able to explicitly log out. Even when they select the logout action, they remain logged-in.
If you log in using NTLM authentication as a user that does not exist in the AD repository, you will not see the personal menu in Confluence's top navigation bar.
You cannot fall back to using forms-based authentication or anonymous authentication.

Assumptions

This instruction assume that you install and configure Confluence, Tomcat and IIS on the same server.
It's possible that you install Tomcat and Confluence on one server and IIS on the different server. The steps are quite similar, there will be a notice at certain steps if the configuration is applicable for more than one server configuration approach.

Installation Instructions

Step 1. Configure Confluence for LDAP User Management

Tip
If you have already configured Confluence to connect to your Active Directory domain, then skip ahead to the next step.

Set up your Confluence server to synchronize its user repository with your Windows Active Directory domain. See the Confluence documentation on LDAP user management.

Step 2. Configure IIS

This and following steps guide you through the configuration required to use IIS as an NTLM authenticator for Confluence. NTLM is an authentication format developed by Microsoft. While some third-party implementations are available, IIS provides the most robust and full-featured NTLM authentication support.

Summary of this configuration:

It places the Tomcat application server running Confluence behind an IIS website configured for Integrated Windows Authentication.
IIS is then configured with a custom ISAPI handler that communicates directly with the Tomcat server using Apache JServ Protocol to serve the Confluence content back to the user.

Please follow the guide below that matches the version of your Windows Server:

Windows Server 2003: Configuring Tomcat-Connector for IIS 6.0 (Windows Server 2003)
Windows Server 2008: Configuring Tomcat-Connector for IIS 7.0 (Windows Server 2008)
Windows Server 2012: Configuring Tomcat-Connector for IIS 8.0 (Windows Server 2012 or Windows 8)

Anchor

	confluence
	confluence

Step 3. Configure Confluence for Integrated Windows Authentication

This section of the guide describes the steps necessary to configure Confluence to co-operate with the IIS Web Server.

Throughout this section, '%confluence_install%' refers to your Confluence installation directory .

Step 3.1: Set Confluence Path

Info
This step is only necessary if your IIS instance is already hosting other websites and you want to host Confluence underneath an existing site (for example, if your corporate intranet is hosted at http://intranet.company.com and you want to host Confluence at http://intranet.company.com/confluence).

Edit the %confluence_install%\conf\server.xml file.
Find the Context element in the file, and then change the path value to '/confluence'.
The line should look something like this:
Code Block
language xml
<Context path="/confluence" docBase="../confluence" debug="0" reloadable="false">
Save your changes and close the file.
Restart Confluence and verify that it is now accessible from the new path, such as http://localhost:8080/confluence.

Step 3.2: Add AJP Connector

Now you will change Tomcat's configuration, replacing the standard Coyote HTTP connector (which allows Tomcat to send and receive HTTP traffic) with a custom AJP connector (which allows Tomcat to communicate using Apache JServ Protocol).

Edit the %confluence_install%\conf\server.xml file.
Locate the Connector element and comment it out entirely.

Add a new Connector element that looks like the one below. The values that must match exactly are address, protocol and tomcatAuthentication:

Code Block

language	xml

<Connector port="8009" address="127.0.0.1" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" tomcatAuthentication="false" URIEncoding="UTF-8" />

Info

If IIS is not located on the same server as Confluence, then the key value pair address should be omitted.

<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3"

tomcatAuthentication="false" URIEncoding="UTF-8" />

Ensure that your server.xml file now contains only a single Connector definition. You still have the option to have more than one Connector elements definition but in this configuration we recommended that only one Connector element definition is used.
Save your changes and close the file.
Restart Confluence and ensure that the server initializes successfully.

Step 3.3: Add Custom Authenticator

Include Page

	_Configure Custom Authenticator
	_Configure Custom Authenticator

Step 3.4: Modify Base URL

The final step in configuring Confluence is to modify the Server Base URL to point to the IIS web site, rather than directly to Confluence. This ensures that any hyperlinks generated within Confluence pages will direct users through the IIS website. For example, if your Tomcat server runs Confluence on http://intranet.company.com:8080/confluence and the IIS web site runs on http://intranet.company.com, then the Confluence Base URL needs to be changed to http://intranet.company.com/confluence.

See the Confluence documentation for instructions on modifying the Base URL.

Step 4. Set Client Browser Options

In order for users to be automatically logged in to Confluence without being prompted for their username and password, the browser must be correctly configured for pass-through authentication.

Please instruct all users to ensure that the recommended browser settings are applied.